2016-08-22 05:34 AM - edited 2016-08-22 05:37 AM
We have a nice NetApp cluster running 8.3.1.
We have multiple vservers for NFS, iSCSI and CIFS. I am running into the following problem.
A Linux coworker of mine is able to mount all the NFS volumes on my filers within /.
We have NFS export policies enabled which allow servers in 2 VLANs access to certain mounts.
However, my coworker can mount / and see all the mounts on the filers (because he is in one of the 2 VLANs).
How can I disable this? The volumes are all mounted under namespaces under /.
So if I remove the export rights of /, will all the other volumes beneath / also be unmountable?
2016-08-22 05:50 AM
Yes, you do. Clients must be able to traverse the junction tree starting from the top (i.e. "/"), which means "/" must allow at least a read-only mount. The only way to harden it would be to restrict visibility of files/directories under "/", so that even if clients mount it, they won't be able to see its content.
2016-08-22 06:43 AM
Set "/" unix-permissions to something like 0711 (of course make sure the owner is root) and create a minimal export policy that only allows ro mount, but no rw, no root etc. Then nobody can list the content of /, but they can still explicitly enter subvolumes or mount them.
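The following is an added model of the hardening described in the two answers above (a read-only, no-superuser export policy on the SVM root volume plus mode 0711 on "/"), so the behaviour can be reasoned about before touching a cluster. It is not ONTAP code and not part of the original thread: the export-policy evaluation (first matching rule in index order wins; rorule, rwrule and superuser reduced to "any"/"never"), the anon uid 65534 used for root squash, the VLAN subnets, the /app junction and the uids are all constructed assumptions. The `root_mode` parameter lets the weak setting (0755, everyone can list "/") be compared with the corrected one (0711).

```python
"""Model: minimal ro export policy on "/" plus 0711 on the SVM root directory.

Added example, not ONTAP's own code. Rule semantics are simplified from how
ONTAP export policies behave; subnets, volumes and uids are constructed.
"""
import ipaddress
from dataclasses import dataclass

ANON_UID = 65534   # assumed default -anon user; root is mapped here when superuser=never


@dataclass
class ExportRule:
    clientmatch: str   # CIDR, as passed to -clientmatch
    rorule: str        # "any" or "never" (sys/krb5/... collapsed to "any" in this model)
    rwrule: str
    superuser: str


def evaluate_policy(rules, client_ip):
    """Return (ro, rw, root) from the first rule matching client_ip; all False if none."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if ip in ipaddress.ip_network(rule.clientmatch, strict=False):
            ro = rule.rorule != "never"
            rw = ro and rule.rwrule != "never"
            root = ro and rule.superuser != "never"
            return ro, rw, root
    return False, False, False


def mode_allows(mode, uid, gid, owner_uid, owner_gid, op):
    """Check one directory operation against UNIX mode bits.

    'list' needs the read bit, 'traverse' (cd into, or mount a child) needs execute.
    An unsquashed root (uid 0) bypasses mode bits entirely.
    """
    if uid == 0:
        return True
    bit = 4 if op == "list" else 1
    shift = 6 if uid == owner_uid else (3 if gid == owner_gid else 0)
    return bool((mode >> shift) & bit)


# Constructed policies: VLAN A = 10.10.1.0/24, VLAN B = 10.10.2.0/24
ROOT_POLICY = [   # applied to "/": both VLANs may mount read-only, nobody gets rw or root
    ExportRule("10.10.1.0/24", rorule="any", rwrule="never", superuser="never"),
    ExportRule("10.10.2.0/24", rorule="any", rwrule="never", superuser="never"),
]
APP_POLICY = [    # applied to the junction /app: only VLAN A, read-write, root squashed
    ExportRule("10.10.1.0/24", rorule="any", rwrule="any", superuser="never"),
]
ROOT_OWNER = (0, 0)   # "/" owned by root:root, as the answer requires


def client_view(client_ip, uid, gid, root_mode=0o711):
    """What a client at client_ip, acting as uid/gid, can do with "/" and /app."""
    ro, _, root = evaluate_policy(ROOT_POLICY, client_ip)
    if uid == 0 and not root:
        uid = ANON_UID                      # root squash: mode bits now apply to anon
    app_ro, app_rw, _ = evaluate_policy(APP_POLICY, client_ip)
    can_traverse = mode_allows(root_mode, uid, gid, *ROOT_OWNER, "traverse")
    return {
        "mount_root": ro,
        "list_root": ro and mode_allows(root_mode, uid, gid, *ROOT_OWNER, "list"),
        "enter_app": ro and can_traverse and app_ro,   # junction tree traversed from "/"
        "write_app": ro and can_traverse and app_rw,
    }


if __name__ == "__main__":
    for ip, uid, mode in [("10.10.1.5", 1000, 0o755), ("10.10.1.5", 1000, 0o711),
                          ("10.10.2.5", 1000, 0o711), ("10.10.1.5", 0, 0o711)]:
        print(ip, uid, oct(mode), client_view(ip, uid, uid, root_mode=mode))
```

Running the module prints one line per scenario: the 0755 case reproduces the reported problem (a VLAN client lists everything under "/"), the 0711 case lets the same client mount "/" and reach /app without listing "/", VLAN B can mount "/" but not enter /app, and a client running as root is squashed to anon and is blocked by the mode bits like anyone else.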